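/**
 * @brief Constructor for Engage (rpxnow) token authentication.
 *
 * Takes no parameters: the one-time Engage token is read from the "token"
 * request parameter and posted, together with the API key from the
 * configuration key lepton.user.engage.apikey, to the rpxnow auth_info
 * endpoint. When the reply carries stat="ok" the profile identifier is
 * resolved to a local user:
 *   - an existing userengage row with that identifier -> its userid, with
 *     lastseen/lastip refreshed;
 *   - no row while a user is already authenticated -> the identifier is
 *     linked to the active user;
 *   - no row and nobody authenticated -> a new user is created from the
 *     profile, provided KEY_ALLOW_CREATION permits it.
 * The resolved user id is stored in $this->userid. It is null whenever the
 * token could not be validated: empty or unparseable reply, missing <rsp>
 * root, stat != "ok", or a profile without an identifier.
 *
 * @throws SecurityException when an account would have to be created but
 *         creation is disabled by configuration.
 * @throws UserException when no free username can be found for a new user.
 */
public function __construct()
{
    $token = request::get('token')->toString();
    $apikey = config::get('lepton.user.engage.apikey');

    $ret = new HttpRequest('https://rpxnow.com/api/v2/auth_info', array(
        'method' => 'post',
        'parameters' => array(
            'apiKey' => $apikey,
            'token' => $token,
            'format' => 'xml',
        ),
    ));
    // Read the body once; it is also handed verbatim to the success event.
    $responseText = $ret->responseText();

    $dom = $this->parseAuthInfo($responseText);
    if ($dom === null) {
        // Transport failure or malformed XML: nothing to authenticate against.
        $this->userid = null;
        return;
    }
    $domx = new DOMXPath($dom);

    // Get the status. A reply without an <rsp> root is treated as a failure
    // instead of being dereferenced blindly.
    $rsp = $domx->query('/rsp')->item(0);
    $status = ($rsp instanceof DOMElement) ? $rsp->getAttribute('stat') : null;
    if ($status !== 'ok') {
        $this->userid = null;
        return;
    }

    // Call on the successful callback method
    event::invoke(EngageEvents::EVENT_SUCCESSFUL_CALLBACK, array(
        'profile' => $dom,
        'profiletext' => $responseText,
    ));

    // Extract the values (null when the provider did not send the element)
    $identifier = $this->profileValue($domx, '/rsp/profile/identifier');
    $displayname = $this->profileValue($domx, '/rsp/profile/displayName');
    $provider = $this->profileValue($domx, '/rsp/profile/providerName');
    $firstname = $this->profileValue($domx, '/rsp/profile/name/givenName');
    $lastname = $this->profileValue($domx, '/rsp/profile/name/familyName');
    $preferredusername = $this->profileValue($domx, '/rsp/profile/preferredUsername');
    $email = $this->profileValue($domx, '/rsp/profile/email');

    // The identifier is the only key logins are mapped on. An empty one must
    // never reach the lookup below: it would match (or, on first use, create)
    // a userengage row with an empty identifier that any later identifier-less
    // reply could sign in as.
    if ($identifier === null || $identifier === '') {
        $this->userid = null;
        return;
    }

    // Sign in
    $db = new DatabaseConnection();
    $idrs = $db->getSingleRow("SELECT * FROM userengage WHERE identifier=%s", $identifier);
    if ($idrs) {
        $cu = $idrs['userid'];
        $db->updateRow("UPDATE userengage SET lastseen=NOW(), lastip=%s WHERE id=%d", request::getRemoteIp(), $idrs['id']);
    } else {
        if (!user::isAuthenticated()) {
            if (!config::get(EngageAuthentication::KEY_ALLOW_CREATION, false)) {
                throw new SecurityException("User creation is disabled for EngageAuthentication");
            }
            $cu = $this->createUserFromProfile($preferredusername, $displayname, $firstname, $lastname, $email);
            session::set(self::SESSIONKEY_USER_CREATED, true);
        } else {
            // Link the new identifier to the account that is already signed in.
            $cu = user::getActiveUser();
        }
        // Add identifier to user
        $db->updateRow("INSERT INTO userengage (userid,identifier,provider,lastseen,lastip) VALUES (%d,%s,%s,NOW(),%s)", $cu, $identifier, $provider, request::getRemoteIp());
    }
    $this->userid = $cu;
}

/**
 * Parse the auth_info reply body into a DOMDocument.
 *
 * @param string $xml Raw response body from rpxnow.
 * @return DOMDocument|null null for an empty body or on any XML parse error.
 */
private function parseAuthInfo($xml)
{
    // loadXML() rejects an empty string outright, so guard it here.
    if (!is_string($xml) || trim($xml) === '') {
        return null;
    }
    $dom = new DOMDocument();
    // Collect libxml errors instead of emitting warnings, and never let the
    // parser reach the network for DTDs or external entities (LIBXML_NONET):
    // the body comes from a third party, not from this application.
    $previous = libxml_use_internal_errors(true);
    $loaded = $dom->loadXML($xml, LIBXML_NONET);
    libxml_clear_errors();
    libxml_use_internal_errors($previous);
    return $loaded ? $dom : null;
}

/**
 * Text content of the first node matched by an XPath expression.
 *
 * @param DOMXPath $domx XPath bound to the auth_info document.
 * @param string $path Absolute XPath expression.
 * @return string|null The node's text, or null when nothing matched.
 */
private function profileValue(DOMXPath $domx, $path)
{
    $node = $domx->query($path)->item(0);
    return ($node === null) ? null : $node->nodeValue;
}

/**
 * Create a local user record for a first-time Engage login.
 *
 * @param string|null $preferredusername Username suggested by the provider.
 * @param string|null $displayname Display name from the profile.
 * @param string|null $firstname Given name from the profile.
 * @param string|null $lastname Family name from the profile.
 * @param string|null $email E-mail as reported by the provider; it is stored
 *        as-is and is not verified here.
 * @return mixed The new user id as returned by user::create().
 * @throws UserException when no free username is found after 10 attempts.
 */
private function createUserFromProfile($preferredusername, $displayname, $firstname, $lastname, $email)
{
    // Check username, add random numbers if not available.
    // NOTE(review): checkUsername()/create() is a check-then-act pair; two
    // concurrent first logins could still collide on the same username unless
    // user::create() enforces uniqueness itself — confirm.
    $base = (string)$preferredusername;
    $username = $base;
    $retrycount = 0;
    while (!user::checkUsername($username)) {
        $username = substr($base, 0, 6) . random_int(1000, 9999);
        $retrycount++;
        if ($retrycount > 10) {
            throw new UserException("Bad username");
        }
    }

    // Generate a password the user never sees: they sign in through Engage,
    // so it only has to be unguessable. Draw it from the CSPRNG; a truncated
    // md5(uniqid()) is derived from the clock and only 24 bits wide, which is
    // brute-forceable against the regular password login.
    // NOTE(review): assumes UserRecord accepts a 24-character password — confirm.
    $password = bin2hex(random_bytes(12));

    // And create the user record
    $u = new UserRecord();
    $u->username = $username;
    $u->password = $password;
    $u->flags = config::get(EngageAuthentication::KEY_DEFAULT_FLAGS, EngageAuthentication::DEFAULT_FLAGS);
    $u->displayname = $displayname;
    $u->firstname = $firstname;
    $u->lastname = $lastname;
    $u->email = $email;
    return user::create($u);
}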
/**
 * @brief Assign a user to the current session.
 *
 * Resolves the id through user::getUser() and refuses ids that do not map
 * to a record or that map to an inactive one. It then stores the id under
 * User::KEY_USER_AUTH (only when the lepton.mvc.session module is loaded),
 * stamps lastlogin/lastip on the users table (only when a request context
 * exists) and raises UserEvents::EVENT_USER_LOGIN (only when that class is
 * defined).
 *
 * NOTE(review): the session id is not regenerated here. Unless the session
 * layer does that itself on privilege change, a pre-set session id survives
 * the login (session fixation) — confirm against lepton.mvc.session.
 *
 * @param $id The user id to assign
 * @throws UserException with ERR_USER_UNASSOCIATED when no user has this id,
 *         or ERR_USER_INACTIVE when the user is flagged inactive.
 */
protected function setUser($id)
{
    $record = user::getUser($id);
    if ($record == null) {
        throw new UserException("Unassociated user id / Integrity failure", UserException::ERR_USER_UNASSOCIATED);
    }
    // An inactive (e.g. locked) account must never become the session user.
    if (!$record->active) {
        throw new UserException("User is not active, check audit log", UserException::ERR_USER_INACTIVE);
    }

    // Bind the id to the session when the session module is available.
    $hasSession = ModuleManager::has('lepton.mvc.session');
    if ($hasSession) {
        session::set(User::KEY_USER_AUTH, $id);
    }

    // Record the login time and address; skipped outside a request context.
    $hasRequest = class_exists('request');
    if ($hasRequest) {
        $conn = new DatabaseConnection();
        $conn->updateRow("UPDATE users SET lastlogin=NOW(), lastip=%s WHERE id=%d", request::getRemoteIp(), $id);
    }

    // Let listeners know a login happened.
    $hasEvents = class_exists('UserEvents');
    if ($hasEvents) {
        event::invoke(UserEvents::EVENT_USER_LOGIN, array('id' => $id));
    }
}
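/**
 * @brief Validate the session.
 *
 * Activated using the configuration key 'lepton.security.strictsessions'.
 * On the first call a validation record holding the client's remote IP is
 * stored in the session under session::KEY_VALIDATION; on every later call
 * the stored IP must be identical to the IP of the current request.
 *
 * Will stop execution if the details mismatch: the session is abandoned and
 * the request dies with a short message. A validation record that lacks the
 * 'ip' entry is treated as a mismatch (fail closed) rather than accepted.
 *
 * Caveats: binding a session to one IP is a coarse hijack mitigation. It
 * breaks for clients whose address changes mid-session (mobile networks,
 * proxy pools), and it is only as strong as request::getRemoteIp() — if that
 * honours spoofable headers such as X-Forwarded-For, an attacker can satisfy
 * this check — verify there.
 */
static function validate()
{
    $remoteIp = request::getRemoteIp();

    // Grab the validation cookie (the IP recorded when the session started)
    $vc = session::get(session::KEY_VALIDATION, null);
    if (!$vc) {
        $vc = array('ip' => $remoteIp);
        // User-agent binding ('ua' => request::getUserAgent()) and a
        // session::refresh() at this point were left disabled here.
        session::set(session::KEY_VALIDATION, $vc);
        return;
    }

    // Strict string comparison: no type juggling between the stored and the
    // current address. A record without an 'ip' entry cannot be verified and
    // is rejected like a mismatch.
    if (!is_array($vc) || !array_key_exists('ip', $vc)) {
        session::abandon();
        die("Session integrity compromised. Session abandoned.");
    }
    if ((string)$vc['ip'] !== (string)$remoteIp) {
        session::abandon();
        die("Session integrity compromised. Session abandoned.");
    }
}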